No OpSec Measure Is Bulletproof to the Effects of a Corrupted Supply Chain
Secure communication in an age of network insecurity has focused mostly on encryption and on fears of surveillance tracking. But as this week revealed, to the dismay of terrorists and criminals alike, no OpSec measure is bulletproof to the effects of a corrupted supply chain.
Hezbollah militants earlier this year decided smartphones were too great a risk given their incessant location transmissions and reputation as targets of advanced spyware. A switch to old-school pagers would cut out all of that. But Hezbollah forgot one fundamental component: the hardware supply chain. The evidence is a slew of killed or maimed militants harmed by exploding devices rigged with high-grade plastic explosives, apparently by the Israeli government.
Organized crime faces a similar conundrum in the wake of an international law enforcement operation that infiltrated and disrupted yet another supposedly secure, encrypted platform, called Ghost, and arrested its now deanonymized operators and users. Australian police were able to penetrate the Ghost network by “smart software engineering and modification of updates to those devices to essentially turn them into surveillance devices,” an Australian Federal Police official said.
Ironically, the shift to putatively more secure communication devices caused the very security problems the criminals sought to avoid – capture and death.
Individuals briefed on the Hezbollah operation said Israel built front companies to sell pagers and walkie-talkies and offered two versions of each device depending on the buyer: a normal one, as well as a version that used “batteries laced with the explosive PETN,” The New York Times reported Wednesday. Experts said only a small amount of explosive would have been needed to kill, blind or otherwise maim combatants, not least because before the pagers exploded, they beeped with a high-priority alert after receiving a message labeled as being from Hezbollah leadership, which likely led many users to raise the devices to their eyes.
“A threat model should always look at the hardware first – and what’s in the hardware,” said Alan Woodward, a cybersecurity expert who’s a professor of computer science at England’s University of Surrey. “Was there nobody from Hezbollah going to wherever these pagers were being manufactured and at least sampling them to see what was being packaged up?”
Disrupting supply chains is a known intelligence agency tactic, used not least by the U.S. National Security Agency, which a decade ago was tied to intercepting and altering computer equipment when it was in transit to customers, sometimes by adding viruses or custom firmware. Security experts say Israel’s intelligence apparatus is largely second to none and is known for agile thinking and an asymmetric approach honed by the existential threat posed to the country by its adversaries.
“In counterterrorism, we talk about a 3D chess game,” said Cyjax CISO Ian Thornton-Trump, who began his career in military intelligence at the end of the Cold War.
Israel may have talked up its mobile phone surveillance capabilities precisely to drive adversaries to seek a communications alternative it could exploit and to keep them in a perpetual state of disruption – both to “increase the cost of operations” as well as the likelihood they’d make exploitable errors, Thornton-Trump said.
So what comes after smartphones, pagers and walkie-talkies? Much of Hezbollah is organized into clandestine cells, and the leadership issues “one to many” commands directly to small cells with no connections to each other, experts say.
“If they’re reduced to pen and paper and fax communications, they’re easier to intercept, so they’ll put it into code,” perhaps carried by more human couriers, Thornton-Trump said. But couriers can be captured and interrogated by special forces, and codes can be cracked by signals intelligence agencies.
Cybercriminals likely don’t face a danger of exploding pagers but they’re also left with a paucity of trusted alternatives to the encrypted telephone services that police keep rolling up. They might move back to commercial smartphones, backed by burner SIMs and VPN services, as well as encrypted messaging apps such as WhatsApp, Signal or Telegram secret chats. But the physical devices – at least – remain at risk of being subverted by law enforcement and intelligence agencies, the University of Surrey’s Woodward said.
“The other thing about having a command-and-control structure based on burner phones – and criminals have found this in the past – is that you have to keep some sort of log of who’s on what number or what address today,” he said. “So that database suddenly becomes a prime cybersecurity target, and if you can get hold of that, you’ve got your targeting list for the next few days.”